# For proper IPv6 Neighbour Discovery functioning, the unicast
# reply must be sent in plaintext, even if we have an IPsec SA
# for the destination - in case the other end rebooted and is
# trying to find us. Without this policy hole, the neighbour discovery
# answer packet is caught by the kernel, which informs the IKE
# daemon via ACQUIRE and the host sends out an IKE packet, which
# does go through the UDP hole, but the other end hasn't received
# the neighbour discovery answer packet, so cannot respond to our
# IKE packet
#
# The ipv6-icmp Neighbor Discovery answer (Neighbor Advertisement) is Type 136, Code 0. As per RFC
# 4301/5996, icmp type is put in the most significant 8 bits and
# icmp code is in the least significant 8 bits of port field.
# proto is 58 (ipv6-icmp)
# type = 136 (0x88)
# code = 0
# so "port" in protoport is 0x8800 or 34816 in decimal
# hence protoport=58/0x8800
#
# Similarly, Neighbor Solicitation is Type 135 (0x87), Code 0, so its "port" is 0x8700 (34560)
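# One half of the Neighbor Discovery exemption: ICMPv6 (proto 58) with the
# left-side type/code "port" 34560 (0x8700, Neighbor Solicitation) and the
# right-side "port" 34816 (0x8800, Neighbor Advertisement). Its mirror image
# is v6neighbor-hole-out (same selectors with the two type values swapped);
# together they exempt the exchange whichever side carries the Solicitation,
# so the kernel raises no ACQUIRE for it.
# The hole is deliberately narrow: a single protocol and exact type/code
# values. Every other packet stays subject to the IPsec policy; do not widen
# this to all of ICMPv6.
conn v6neighbor-hole-in
        # ::1 / ::0 combined with the ::0/0 subnets make the policy apply to
        # every IPv6 address on both sides, i.e. any peer
        left=::1
        leftsubnet=::0/0
        # proto/port: 58 = ipv6-icmp; port = (ICMP type << 8) | ICMP code
        leftprotoport=58/34560
        rightprotoport=58/34816
        rightsubnet=::0/0
        right=::0
        connaddrfamily=ipv6
        # a passthrough policy authenticates no peer
        authby=never
        # matching packets bypass IPsec entirely and are sent in the clear
        type=passthrough
        # install the policy at startup; no IKE negotiation is initiated
        auto=route
        # the low number is intended to make this narrow exemption take
        # precedence over broader policies covering the same addresses
        priority=1
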
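# Mirror of v6neighbor-hole-in with the two type values swapped: left-side
# "port" 34816 (0x8800, Neighbor Advertisement), right-side "port" 34560
# (0x8700, Neighbor Solicitation). The pair covers both orderings of the
# exchange so neither direction triggers an ACQUIRE and an IKE attempt.
# Keep the selector as narrow as it is here: proto 58 and exact type/code
# only; all other traffic remains subject to the IPsec policy.
conn v6neighbor-hole-out
        # ::1 / ::0 combined with the ::0/0 subnets make the policy apply to
        # every IPv6 address on both sides, i.e. any peer
        left=::1
        leftsubnet=::0/0
        # proto/port: 58 = ipv6-icmp; port = (ICMP type << 8) | ICMP code
        leftprotoport=58/34816
        rightprotoport=58/34560
        rightsubnet=::0/0
        right=::0
        connaddrfamily=ipv6
        # a passthrough policy authenticates no peer
        authby=never
        # matching packets bypass IPsec entirely and are sent in the clear
        type=passthrough
        # install the policy at startup; no IKE negotiation is initiated
        auto=route
        # the low number is intended to make this narrow exemption take
        # precedence over broader policies covering the same addresses
        priority=1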